Malware Analysis Report

2024-10-18 23:42

Sample ID 240812-al8bfswdpr
Target ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e
SHA256 ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e
Tags
amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1: Detonation Overview, Signatures
Analysis: behavioral1: Detonation Overview, Command Line, Signatures, Processes, Network, Files
Analysis: behavioral2: Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

score
10/10

SHA256

ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e

Threat Level: Known bad

The file ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora credential_access discovery evasion persistence stealer trojan

Amadey

Stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Executes dropped EXE

Identifies Wine through registry keys

Checks BIOS information in registry

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Browser Information Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies registry class

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-12 00:19

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-12 00:19

Reported

2024-08-12 00:21

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe | N/A
Key opened (x3) | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe | N/A
Key value queried (x3) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried (x3) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe | N/A
Key opened (x3) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\287dd4930a.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\287dd4930a.exe" | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A (x3) | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4188 set thread context of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\287dd4930a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 840 set thread context of 4296 | N/A | C:\Users\Admin\1000037002\956ba0e9e9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorti.job | C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000036001\287dd4930a.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\1000037002\956ba0e9e9.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1000038001\7906e48338.exe | N/A
Key opened (x2) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Checks processor information in registry

Note: every row in this table, and the Modifies registry class, AdjustPrivilegeToken and SetWindowsHookEx rows that follow, is attributed to firefox.exe, the browser installed in the sandbox image, which the injected RegAsm.exe process (PID 2068) launches (see Processes). These are browser start-up behaviours, not code from the sample, and should not be used as indicators on their own.

Description | Indicator | Process | Target
Key opened (x2) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Mozilla Firefox\firefox.exe | N/A
Key value queried (x2) | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege (x5) | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A (x43) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A (x21) | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A (x44) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A (x20) | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A

Suspicious use of WriteProcessMemory

Every ordinary parent-to-child launch in this table shows exactly three writes (1148 to 212, 212 to 4188, 212 to 840, 212 to 3956). The two RegAsm.exe targets that also appear in the SetThreadContext table are the exception: PID 2068 receives ten writes from 287dd4930a.exe and PID 4296 nine writes from 956ba0e9e9.exe. A payload written into a freshly started RegAsm.exe followed by a thread-context change is the process-injection pattern; RegAsm.exe is a signed .NET framework utility, so the injected code runs under a trusted image name. The three earlier RegAsm.exe instances started by PID 840 (4952, 1096, 924) received only the launch writes and no thread-context change. The firefox.exe rows are the browser's own parent-to-child writes.

Description | Indicator | Process | Target
PID 1148 wrote to memory of 212 (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 212 wrote to memory of 4188 (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000036001\287dd4930a.exe
PID 4188 wrote to memory of 2068 (x10) | N/A | C:\Users\Admin\AppData\Local\Temp\1000036001\287dd4930a.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 212 wrote to memory of 840 (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\1000037002\956ba0e9e9.exe
PID 840 wrote to memory of 4952 (x3) | N/A | C:\Users\Admin\1000037002\956ba0e9e9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 840 wrote to memory of 1096 (x3) | N/A | C:\Users\Admin\1000037002\956ba0e9e9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 840 wrote to memory of 924 (x3) | N/A | C:\Users\Admin\1000037002\956ba0e9e9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 840 wrote to memory of 4296 (x9) | N/A | C:\Users\Admin\1000037002\956ba0e9e9.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 212 wrote to memory of 3956 (x3) | N/A | C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe | C:\Users\Admin\AppData\Local\Temp\1000038001\7906e48338.exe
PID 2068 wrote to memory of 3976 (x2) | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 3976 wrote to memory of 1116 (x11) | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
PID 1116 wrote to memory of 3608 (x11) | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Program Files\Mozilla Firefox\firefox.exe
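Reading the WriteProcessMemory and SetThreadContext tables by hand is error-prone at this volume. The Python script below is an added example, not part of the sandbox report or any vendor tooling. It takes a de-duplicated copy of the two tables (PIDs and image paths as the report shows them, row counts as tallied above), rebuilds the process tree by treating the first writer of a PID as its launching parent (an assumption that holds for this report), and flags writer/target pairs that also received SetThreadContext as injection. Pairs that merely exceed the three-write launch baseline are marked for review; the baseline of three is taken from the ordinary launches in this table, not from a general rule.

```python
"""Process-tree reconstruction and injection triage from sandbox signature rows.

Added example; not part of the sandbox report. WRITE_ROWS and CONTEXT_ROWS are
a constructed, de-duplicated copy of the report's WriteProcessMemory and
SetThreadContext tables. Treating the first writer of a PID as its parent is
an assumption made here for illustration.
"""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe"
EXPLORTI = r"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
DROP1 = r"C:\Users\Admin\AppData\Local\Temp\1000036001\287dd4930a.exe"
DROP2 = r"C:\Users\Admin\1000037002\956ba0e9e9.exe"
DROP3 = r"C:\Users\Admin\AppData\Local\Temp\1000038001\7906e48338.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"

# (Description column, Process column, Target column, identical rows in the report)
WRITE_ROWS = [
    ("PID 1148 wrote to memory of 212", SAMPLE, EXPLORTI, 3),
    ("PID 212 wrote to memory of 4188", EXPLORTI, DROP1, 3),
    ("PID 4188 wrote to memory of 2068", DROP1, REGASM, 10),
    ("PID 212 wrote to memory of 840", EXPLORTI, DROP2, 3),
    ("PID 840 wrote to memory of 4952", DROP2, REGASM, 3),
    ("PID 840 wrote to memory of 1096", DROP2, REGASM, 3),
    ("PID 840 wrote to memory of 924", DROP2, REGASM, 3),
    ("PID 840 wrote to memory of 4296", DROP2, REGASM, 9),
    ("PID 212 wrote to memory of 3956", EXPLORTI, DROP3, 3),
    ("PID 2068 wrote to memory of 3976", REGASM, FIREFOX, 2),
    ("PID 3976 wrote to memory of 1116", FIREFOX, FIREFOX, 11),
    ("PID 1116 wrote to memory of 3608", FIREFOX, FIREFOX, 11),
]
CONTEXT_ROWS = [
    ("PID 4188 set thread context of 2068", DROP1, REGASM),
    ("PID 840 set thread context of 4296", DROP2, REGASM),
]

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+)$")


def basename(path):
    # os.path.basename only splits on backslash when running on Windows
    return path.rsplit("\\", 1)[-1]


def build_graph(write_rows, context_rows):
    """Map PIDs to images, record each PID's first writer as its parent,
    and total the cross-process writes per (writer, target) pair."""
    image, parent, writes, context = {}, {}, Counter(), set()
    for desc, src_img, dst_img, n in write_rows:
        src, dst = (int(x) for x in WRITE_RE.match(desc).groups())
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        parent.setdefault(dst, src)
        writes[(src, dst)] += n
    for desc, src_img, dst_img in context_rows:
        src, dst = (int(x) for x in CTX_RE.match(desc).groups())
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        context.add((src, dst))
    return image, parent, writes, context


def lineage(pid, parent):
    """Walk parent links back to the root: [root, ..., pid]."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def injection_candidates(write_rows=WRITE_ROWS, context_rows=CONTEXT_ROWS, baseline=3):
    """'high': the writer also set the target's thread context (code written in,
    then a thread redirected into it). 'review': only an elevated write count;
    in this report that is Firefox's own parent/child start-up, so a human
    should look rather than an alert fire."""
    image, parent, writes, context = build_graph(write_rows, context_rows)
    findings = []
    for (src, dst), n in sorted(writes.items()):
        if (src, dst) in context:
            severity = "high"
        elif n > baseline:
            severity = "review"
        else:
            continue  # launch-only write count, nothing to flag
        findings.append({
            "writer": src, "target": dst, "writes": n, "severity": severity,
            "writer_image": basename(image[src]), "target_image": basename(image[dst]),
            "lineage": " > ".join(f"{basename(image[p])}({p})" for p in lineage(dst, parent)),
        })
    return findings


if __name__ == "__main__":
    for f in injection_candidates():
        print(f"[{f['severity']}] {f['writer_image']}({f['writer']}) -> "
              f"{f['target_image']}({f['target']}) writes={f['writes']}")
        print(f"    lineage: {f['lineage']}")
```

Run stand-alone it prints two high findings, 287dd4930a.exe into RegAsm.exe PID 2068 and 956ba0e9e9.exe into RegAsm.exe PID 4296, each with its lineage back to the original sample, and two review findings for Firefox's own parent-to-child writes. The three short-lived RegAsm.exe instances (4952, 1096, 924) sit at the baseline and are not flagged, which matches the SetThreadContext table.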

Uses Task Scheduler COM API

persistence

Processes

RegAsm.exe is started five times with no arguments. A normal RegAsm.exe invocation takes an assembly path; together with the SetThreadContext and WriteProcessMemory rows above, the argument-less instances are the hosts for the injected payloads, with PIDs 2068 and 4296 receiving the thread-context changes. RegAsm.exe (PID 2068) then launches firefox.exe with the Google account password-settings URL; the firefox.exe rows that follow it are the browser's own gpu, socket, tab and utility child processes. The trailing explorti.exe entries with no recorded command line are re-launches of the dropped explorti.exe, consistent with the explorti.job scheduled task written to C:\Windows\Tasks and the Task Scheduler COM API signature.

C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe

"C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\287dd4930a.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\287dd4930a.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\956ba0e9e9.exe

"C:\Users\Admin\1000037002\956ba0e9e9.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\7906e48338.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\7906e48338.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2012 -parentBuildID 20240401114208 -prefsHandle 1936 -prefMapHandle 1928 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da708147-397a-45ab-9409-447d8d920bd5} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2448 -parentBuildID 20240401114208 -prefsHandle 2432 -prefMapHandle 2428 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15514122-c61c-436b-8c30-83f6b46c3620} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1576 -childID 1 -isForBrowser -prefsHandle 2968 -prefMapHandle 3204 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d3b098f-d7c9-4a29-b1a7-c0b66c3004ad} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2680 -childID 2 -isForBrowser -prefsHandle 3616 -prefMapHandle 3632 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0b3f03b-17d2-4575-9c7a-9aa33a06d735} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4688 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4648 -prefMapHandle 4644 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71bf4753-179a-4fcd-a545-4219481967ed} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5620 -childID 3 -isForBrowser -prefsHandle 5612 -prefMapHandle 5608 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {715a827a-8638-4ecb-9d93-02ab4170b983} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5884 -childID 4 -isForBrowser -prefsHandle 5844 -prefMapHandle 5876 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {804c5693-a8ec-4a02-9c71-85336d039aff} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5892 -childID 5 -isForBrowser -prefsHandle 5772 -prefMapHandle 5644 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76198f52-577d-48ec-9c1f-fe2a0de028eb} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6228 -childID 6 -isForBrowser -prefsHandle 6308 -prefMapHandle 6304 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8cd19a29-3e2d-46be-b59a-5afcc7866233} 1116 "\\.\pipe\gecko-crash-server-pipe.1116" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
N/A 127.0.0.1:61733 tcp
US 8.8.8.8:53 205.86.155.35.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
NL 142.250.179.174:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 174.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
N/A 127.0.0.1:61740 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r3---sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com tcp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 209.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 r3.sn-4g5edn6k.gvt1.com udp
DE 74.125.111.136:443 r3.sn-4g5edn6k.gvt1.com udp
US 8.8.8.8:53 136.111.125.74.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
NL 142.250.102.84:443 accounts.google.com udp
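
The rows above mix three kinds of traffic: the sandbox resolver's queries (every 8.8.8.8:53 row, including the in-addr.arpa names, which are reverse lookups for each IP the VM touched), Firefox and Google/Bing background traffic from the browser the stealer opened, and the sample's own plain-HTTP connections to 185.215.113.16, .19 and .100 on port 80, made by bare IP with no DNS name. As an added example that is not part of the report, the Python below applies those rules to a subset of the table (constructed from the rows above, same columns) to isolate the C2 endpoints and to recover the reverse-lookup targets as a cross-check. The noise suffix list and the resolver address are assumptions about this sandbox, not facts the report states.

```python
"""Separate the sample's C2 traffic from sandbox and browser background noise.

Added example, not part of the original report. The rows are constructed from
the behavioral1 Network table above (a representative subset, same columns);
the noise list and the resolver address are assumptions about this sandbox.
"""
import ipaddress
from collections import Counter

NETWORK_ROWS = """\
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
N/A 127.0.0.1:61733 tcp
GB 88.221.134.209:80 ciscobinary.openh264.org tcp
DE 74.125.111.136:443 r3---sn-4g5edn6k.gvt1.com tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
"""

SANDBOX_RESOLVER = "8.8.8.8"  # assumed: the VM's configured DNS server
# Domains the detonation VM contacts on its own (Firefox telemetry/updates,
# Google, Bing, Akamai, Cisco OpenH264). An allow-list for noise only.
NOISE_SUFFIXES = (
    ".in-addr.arpa", ".mozilla.net", ".mozilla.com", ".mozaws.net", ".mozgcp.net",
    ".getpocket.com", ".google.com", ".youtube.com", ".gvt1.com",
    ".akamai.net", ".bing.net", ".openh264.org",
)

def parse_row(line):
    """Return (country, ip, port, domain, proto); the Domain column is optional."""
    parts = line.split()
    if len(parts) < 3:
        return None
    domain = parts[2] if len(parts) == 4 else ""
    ip, _, port = parts[1].rpartition(":")
    return parts[0], ip, int(port), domain, parts[-1]

def ptr_to_ip(name):
    """Turn a reverse-lookup name back into the IP it asks about, else None."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None

def is_noise(rec):
    _, ip, _, domain, _ = rec
    if ip == SANDBOX_RESOLVER or ipaddress.ip_address(ip).is_loopback:
        return True
    return domain.lower().endswith(NOISE_SUFFIXES) if domain else False

def c2_candidates(text):
    """{ip: Counter of 'port/proto'} for destinations the noise rules cannot explain."""
    hits = {}
    for line in text.splitlines():
        rec = parse_row(line)
        if rec is None or is_noise(rec):
            continue
        _, ip, port, _, proto = rec
        hits.setdefault(ip, Counter())[f"{port}/{proto}"] += 1
    return hits

def ip_literal_hosts(text):
    """Destinations reached by bare IP (Domain column equals the IP): no DNS
    resolution at all, which is how the 185.215.113.0/24 hosts appear here."""
    recs = (parse_row(l) for l in text.splitlines())
    return {r[1] for r in recs if r and r[3] == r[1]}

def ptr_lookups(text):
    """IPs the sandbox reverse-resolved; cross-checks the direct connections."""
    out = set()
    for line in text.splitlines():
        rec = parse_row(line)
        if rec and rec[1] == SANDBOX_RESOLVER:
            ip = ptr_to_ip(rec[3])
            if ip:
                out.add(ip)
    return out
```

On the subset above `c2_candidates` leaves exactly the three 185.215.113.x hosts, all on 80/tcp, and `ip_literal_hosts` returns the same set; the PTR names resolved by the sandbox include those three IPs, so the two views agree. The allow-list is a noise filter, not a verdict: a destination that matches it is only "explained by the browser", and anything left over still needs the usual reputation and payload checks.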

Files

memory/1148-0-0x0000000000DC0000-0x0000000001270000-memory.dmp

memory/1148-1-0x0000000077E84000-0x0000000077E86000-memory.dmp

memory/1148-2-0x0000000000DC1000-0x0000000000DEF000-memory.dmp

memory/1148-3-0x0000000000DC0000-0x0000000001270000-memory.dmp

memory/1148-4-0x0000000000DC0000-0x0000000001270000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 089886bf7e26432d1b8871ad0fad7a6f
SHA1 658b258103dfa62705e1a8d3a1cc3a0da105c9f7
SHA256 ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e
SHA512 72006c3cfcbba34bfcbc8e4404eef75067ce5945529ae5802bc3b4a4790781ec032ded0ccd4c96df38f5a5a37cdc9b88b72734a6ed0abbccbb09c9ccb1b0c7e5

memory/1148-17-0x0000000000DC0000-0x0000000001270000-memory.dmp

memory/212-18-0x00000000005E0000-0x0000000000A90000-memory.dmp

memory/212-19-0x00000000005E1000-0x000000000060F000-memory.dmp

memory/212-20-0x00000000005E0000-0x0000000000A90000-memory.dmp

memory/212-21-0x00000000005E0000-0x0000000000A90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\287dd4930a.exe

MD5 b4b7887bba964f06c545500381908ba9
SHA1 c8a668c954d459269b3fcf7d4f4359a5630f731c
SHA256 00d63a7e31523200db556616515fdd747cdfee7788adc5a5c946f2b6bcb8e4c5
SHA512 285acc9fe1b166dec1793e55c47abe5fe96d7edee670808f0b424f9bcf88d5027a9a29f74189625539c1dff9bc6cc8ca31b23df86982266f72d8bb436d55c018

memory/4188-40-0x0000000073A9E000-0x0000000073A9F000-memory.dmp

memory/4188-41-0x0000000000460000-0x0000000000590000-memory.dmp

memory/2068-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2068-45-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2068-47-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\956ba0e9e9.exe

MD5 e826e5dda653e04af408850d34bcde30
SHA1 ef68ca7be13805e1a4ce73320015567df98b07ff
SHA256 bdf3491c9a75b80277746b1d6c105da79a3b5fba637236b87dd4af15af33e3b2
SHA512 c2750171b88c7d138299b29341af7cd20d97c2a22f6cb82b5e7711cc28f7947ac943fbf9ba8c038f49678b1b38d6a752706242786ed627fa69db267690da3072

memory/4296-70-0x0000000000400000-0x0000000000643000-memory.dmp

memory/4296-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/840-66-0x00000000003A0000-0x00000000003D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\7906e48338.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/3956-86-0x0000000000220000-0x0000000000463000-memory.dmp

memory/3956-87-0x0000000000220000-0x0000000000463000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\f01d6409-e002-4cae-af6a-8d537da57ff8

MD5 3f93b9b7cb633da17555c6b9bcd3eff1
SHA1 9d7d82054fb3a008d79146dde7f9cf89c91bfb0e
SHA256 93fed6b75d05654f4ea9e70b751a02d3367383facc81d4ff04e709ad2b6cb8a9
SHA512 3f780e3a4c7478131ada7469a66999d6c13b4f758fcdff44605761ad175d90dd0f23669aaa0dd3d4fae532770d6b79149cf196156ade50707480d71e3ab4513b

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\8f9c83ed-bb4f-4dc1-b6f0-636c00af5159

MD5 295aead7d1bb165208975d445c8bd15f
SHA1 d2c689583c9b4a8b7f8f3c23b404dcf0cf2a5494
SHA256 b4e1dc10f8307c8d7a8a2887c0273bd9340f094a8f54af7b8732f74058d307e3
SHA512 873b292ed5730781a199129a2069f417b4f45221a24c2b59529829cb642ef59bbed9cd2dc9fd1334d8cc080b175ab2838c9d9d3674caa5489c4e398f1ad99735

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

MD5 247e8d4a73bf6d392806f666e0456530
SHA1 2f14236a1b1c64c1c5d04262b064f3592e148709
SHA256 deb2051e550d77f075533ec713fc2c956a095b0d6cd6929e6ee4afcf8ce8b20d
SHA512 6bd8bbab48facb19c9bcec96d09e2f43df39f4f275eaa7fb9c1ce8a2c74b45f43d6079f8028920f4235ed7e9293c00d8002aac7925b704788cb460a660129864

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

MD5 3bbf8d50963fac9c2319bdea2c961d69
SHA1 1f9df882717dba0ae50815d831b5b99f7383d1eb
SHA256 f45b9b5b32f52039c513694fe9635c2d12c165b939dd0902bf52b20827247eb8
SHA512 ec8a087df5724184cfdd34760661077f260fa6e0c7e1979709ed38b651cec081a85c86d2a4bcf7d393a0742ad3d4893a55156f1166c297f078c949cf3e30230a

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\activity-stream.discovery_stream.json

MD5 01ac7a4a7050eeffdc399be6f4328250
SHA1 69f15fc79e886d106a2892e739bbe2b4724ab486
SHA256 904b21330c1cf8aa0fbd01b05e6e3ec1703106057a4be7c6f39ca6642c11f9bb
SHA512 38e80670624936e704d6a844c98383338884869369b0803aab37bc13eb37ce49864509ce82294bc6fd8aa6203d574ba46cc81bcc4f110babf8ecefddb2c8d239

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

MD5 a5e32b464a7bb339ab28f2ba8d355fe8
SHA1 b7980b94c555f0d456bb03342c710bad10fd179e
SHA256 33c0b251816599ed8d43cfb19c53de139664aae8fbcd92f8d60a48ced35f87e9
SHA512 cb2147a765bb6063419c620e871160b417754673b01b169729bba8c001a734e996aec89fabdb92e91b99c4ecf3427ec1c79cb33f647f9f551ccc1fdaabd8399a

memory/212-405-0x00000000005E0000-0x0000000000A90000-memory.dmp

memory/212-416-0x00000000005E0000-0x0000000000A90000-memory.dmp

memory/212-427-0x00000000005E0000-0x0000000000A90000-memory.dmp

memory/212-428-0x00000000005E0000-0x0000000000A90000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

MD5 3bce1625dedef6649f36cad10db103d3
SHA1 2be5624b878b66a01cf17be18edf66efa6f9f680
SHA256 0cd9534b5eaa27d33f140862c49f57ddf7b28776ee380e5f08b7c4daf500b68a
SHA512 c497597b0d49ec1b3fb4b773a457d14aa771e2272a6c3a1737472c8e3ee879fbfb7ab0555708ca298df1a5df2f08428c36e6ab30fa5f252d377287b8da41d912

memory/212-444-0x00000000005E0000-0x0000000000A90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 b512a27125d39872f175ecec1e1f70b5
SHA1 4238f7ea47829d871424dcbd8d2286b68f61e939
SHA256 f603f8cd65f4144ae628924629947557b8377bd64c4da1c26c81e450bb50502f
SHA512 c45696aef229a84cb3c48fb9a0d58ed38bbc3b9627e0912b345a3016c18cf078bdc1f064512e8fb42e1a49da625b0ad909345ca22c638c858ff753b313acfeff

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs-1.js

MD5 d7622f78418e15e34ed6db4605bb50e0
SHA1 7ed6b35748980f28f61c81dfecaa151a8228f906
SHA256 748841e2fc42def588940e027f5625c0b883a52570614c7eaeb610fd7a1579f3
SHA512 96a969da68b33d2b5cb85a4b565027c010555cd628af2c563b09e3b7a6f96b22a7ab90e931ece0a3a002a33783baf84443131931ba1e044320f283234a53f9b9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 df6f5f2a3e7213865fb687b327f35383
SHA1 ccc09d70b21903c715513a393b5d2af95cf169a1
SHA256 f0906ed53339393044f2c2c72b7bd0d76ce87950dd85770700c7e0c6f9859c4e
SHA512 5143fb907ab69cd761202a0babdee21c50782abbdcf01dc41de4310e5130492a30a66b545802dd84b8f9f6fbb6d2f88ae1cea9cab25e6aa1e652df7879551183

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

MD5 a765ad194e80e5a65aa41568c3da7cfc
SHA1 9487fda1ed89fb5193ef81301eb28ce5a732d53d
SHA256 eaefe9414403d6c652c35859424493fd06c1ec3b2f4576eb574f6211f7fb221b
SHA512 1f43200167ad3e7e1b44d17883187f3cc1039eefb39e9b0d5a6b526262c04e8d29d61eadebf036bf063e665c22a4c7008aa7ac7951d3ad1f12c9d19a13f24097

memory/212-1609-0x00000000005E0000-0x0000000000A90000-memory.dmp

memory/5560-2613-0x00000000005E0000-0x0000000000A90000-memory.dmp

memory/5560-2619-0x00000000005E0000-0x0000000000A90000-memory.dmp

memory/212-2620-0x00000000005E0000-0x0000000000A90000-memory.dmp

memory/212-2621-0x00000000005E0000-0x0000000000A90000-memory.dmp

memory/212-2628-0x00000000005E0000-0x0000000000A90000-memory.dmp

memory/212-2629-0x00000000005E0000-0x0000000000A90000-memory.dmp

memory/212-2630-0x00000000005E0000-0x0000000000A90000-memory.dmp

memory/212-2631-0x00000000005E0000-0x0000000000A90000-memory.dmp

memory/3000-2633-0x00000000005E0000-0x0000000000A90000-memory.dmp

memory/3000-2634-0x00000000005E0000-0x0000000000A90000-memory.dmp

memory/212-2635-0x00000000005E0000-0x0000000000A90000-memory.dmp

memory/212-2636-0x00000000005E0000-0x0000000000A90000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

MD5 b9d371f11b4a8b5f28b2dfb7cec3edc9
SHA1 0dbabd17604f11f0385388e1117ae7b9f9747f64
SHA256 51e54e56c1f27946bfe02ab7805e0dc352478de440c0cdb8c60b5d2fd271e233
SHA512 fde2e6c356857dda87c17e30fe4f641197591ca38c379cefd88ae245d157568084de20a3c504708fd90ac0c4aeef458336530ade03a92b4c3379e1b7d6f14f2f

memory/212-2645-0x00000000005E0000-0x0000000000A90000-memory.dmp

memory/212-2647-0x00000000005E0000-0x0000000000A90000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-12 00:19

Reported

2024-08-12 00:21

Platform

win11-20240802-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Windows\CurrentVersion\Run\956ba0e9e9.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\956ba0e9e9.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4484 set thread context of 3408 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\956ba0e9e9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1796 set thread context of 1080 N/A C:\Users\Admin\1000037002\862076a506.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe N/A
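
Read as host telemetry, the tables above are a short chain: the dropper probes \HARDWARE\ACPI\DSDT\VBOX__, the BIOS version values and the Software\Wine key before doing anything else, creates C:\Windows\Tasks\explorti.job, and its explorti.exe copy writes a Run value pointing at a downloaded payload under the user's Temp directory, which in turn calls SetThreadContext on a freshly started RegAsm.exe, the pattern of process hollowing into a signed .NET utility. As an added example, not part of the report or of any vendor's rule set, the Python below constructs events from those rows (PIDs as reported) and runs per-tactic detection logic over them, then scores the chain across processes rather than per PID, because no single process here performs all three steps. The event schema, the regexes, the hollowing-host list and the scoring are assumptions chosen for the example.

```python
"""Score the behavioural signatures above as host-telemetry detections.

Added example, not part of the report or of any vendor's signature set. The
event records are constructed from the signature tables in this section
(registry keys opened, Run value set, Tasks job created, SetThreadContext
into RegAsm.exe); the event schema, the regexes and the tactic labels are
assumptions chosen for the example.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe"
EXPLORTI = r"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Local\Temp\1000036001\956ba0e9e9.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000"

# Constructed event log: one record per table row of interest, PIDs as reported.
EVENTS = [
    {"type": "reg_open", "pid": 3420, "image": SAMPLE,
     "path": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"},
    {"type": "reg_query", "pid": 3420, "image": SAMPLE,
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "reg_open", "pid": 4476, "image": EXPLORTI, "path": HKU + r"\Software\Wine"},
    {"type": "reg_set", "pid": 4476, "image": EXPLORTI,
     "path": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Run\956ba0e9e9.exe",
     "value": PAYLOAD},
    {"type": "file_create", "pid": 3420, "image": SAMPLE, "path": r"C:\Windows\Tasks\explorti.job"},
    {"type": "set_thread_context", "pid": 4484, "image": PAYLOAD,
     "target_pid": 3408, "target_image": REGASM},
    # Control: Firefox reading CPU details is normal and must not score.
    {"type": "reg_query", "pid": 1116, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "path": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz"},
]

ANTI_VM_KEYS = [
    re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I),
    re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
    re.compile(r"\\Software\\Wine$", re.I),
]
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)
TASKS_JOB = re.compile(r"^C:\\Windows\\Tasks\\[^\\]+\.job$", re.I)
# .NET utilities commonly used as hollowing hosts (assumed list, extend as needed).
HOLLOWING_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}

def from_user_writable(path):
    """True for anything under a user profile (Temp, AppData, the profile root)."""
    return path.lower().startswith("c:\\users\\")

def classify(events):
    """Map each PID to the tactics its events support and the matching findings."""
    out = defaultdict(lambda: {"image": None, "tactics": set(), "findings": []})
    for ev in events:
        rec = out[ev["pid"]]
        rec["image"] = ev["image"]
        path = ev.get("path", "")
        if ev["type"] in ("reg_open", "reg_query") and any(r.search(path) for r in ANTI_VM_KEYS):
            rec["tactics"].add("evasion")
            rec["findings"].append("anti-VM/Wine probe: " + path)
        elif ev["type"] == "reg_set" and RUN_KEY.search(path) and from_user_writable(ev.get("value", "")):
            rec["tactics"].add("persistence")
            rec["findings"].append("Run value -> " + ev["value"])
        elif ev["type"] == "file_create" and TASKS_JOB.match(path):
            rec["tactics"].add("persistence")
            rec["findings"].append("legacy Tasks job: " + path)
        elif (ev["type"] == "set_thread_context"
              and ntpath.basename(ev["target_image"]).lower() in HOLLOWING_HOSTS
              and from_user_writable(ev["image"])):
            rec["tactics"].add("injection")
            rec["findings"].append(f"thread context set in {ev['target_image']} (pid {ev['target_pid']})")
    return dict(out)

def chain_verdict(classified):
    """Combine per-process tactics into one verdict for the detonation.

    The dropper probes the VM and writes the Tasks job, its copy sets the Run
    key, and the downloaded payload hollows RegAsm.exe. Scoring the union
    catches the chain even though no single PID trips all three rules.
    """
    tactics = set().union(*(r["tactics"] for r in classified.values()))
    score = len(tactics & {"evasion", "persistence", "injection"})
    return {"tactics": tactics, "score": score, "malicious": score >= 2}
```

The two persistence rules are deliberately narrow: a Run value is only scored when it points into a user profile, and the Tasks rule matches the legacy .job file format rather than the Task Scheduler COM API the report also flags, so each rule fires on one specific artefact. The Firefox control event shows why the anti-VM list is a set of exact key names and not a match on HARDWARE\DESCRIPTION in general: browsers read CentralProcessor values routinely.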

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\956ba0e9e9.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\862076a506.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\2acf21079c.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3420 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 4476 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\956ba0e9e9.exe
PID 4484 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\956ba0e9e9.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4476 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\862076a506.exe
PID 1796 wrote to memory of 3848 N/A C:\Users\Admin\1000037002\862076a506.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1796 wrote to memory of 4064 N/A C:\Users\Admin\1000037002\862076a506.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1796 wrote to memory of 2424 N/A C:\Users\Admin\1000037002\862076a506.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1796 wrote to memory of 1008 N/A C:\Users\Admin\1000037002\862076a506.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1796 wrote to memory of 1080 N/A C:\Users\Admin\1000037002\862076a506.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4476 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\2acf21079c.exe
PID 3408 wrote to memory of 1596 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1596 wrote to memory of 1344 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1344 wrote to memory of 1668 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe

"C:\Users\Admin\AppData\Local\Temp\ef2f02b758860cfd61fad4e871636c0b4a8447e895baa8033d858ae0246a463e.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\956ba0e9e9.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\956ba0e9e9.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\862076a506.exe

"C:\Users\Admin\1000037002\862076a506.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\2acf21079c.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\2acf21079c.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1952 -parentBuildID 20240401114208 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d272be49-d0a7-4c27-bb5b-c33d772f911b} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2368 -parentBuildID 20240401114208 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {58b5bcb1-e2c7-41b5-9b1a-33878b67c070} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3032 -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 3160 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b9a325c-858e-4cb5-8cfd-3eff045a9bef} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3660 -childID 2 -isForBrowser -prefsHandle 3652 -prefMapHandle 3648 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d891df1f-c586-4fa6-9ca1-487d14448944} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4720 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4712 -prefMapHandle 4708 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e780f50-0acf-4618-a85b-3d5f22ff7028} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 3 -isForBrowser -prefsHandle 5524 -prefMapHandle 4964 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9efe8be-256c-49d9-874d-cdae36239068} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5708 -childID 4 -isForBrowser -prefsHandle 5504 -prefMapHandle 5480 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7c6ad1e-de36-4baa-b53b-2a3e3d64de01} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5828 -childID 5 -isForBrowser -prefsHandle 5908 -prefMapHandle 5840 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52ee6c6b-4b26-40a8-86be-f7b536ce4b19} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6212 -childID 6 -isForBrowser -prefsHandle 6192 -prefMapHandle 6200 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9e95919-d9f2-44ad-b8f0-e62ca9dcac2d} 1344 "\\.\pipe\gecko-crash-server-pipe.1344" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto

Files
